Hi everyone,
I'd like to check whether a client certificate is revoked or not against a CRL. Currently, opensips uses an SSL_CTX context. How can I do this with this context?
I made this change to load the CRL:

    /* Load a PEM-encoded CRL file into the certificate store of the given SSL_CTX.
     * Returns 0 on success, -1 on failure. */
    int load_crl(SSL_CTX *ctx, char *filename)
    {
        LM_DBG("entered load crl\n");
        X509_STORE *pStore = SSL_CTX_get_cert_store(ctx);
        /* X509_STORE_add_lookup() returns NULL on failure */
        X509_LOOKUP *plookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
        if (plookup == NULL
                || !X509_load_crl_file(plookup, filename, X509_FILETYPE_PEM)) {
            LM_ERR("unable to load certificate file '%s'\n", filename);
            return -1;
        }
        LM_DBG("'%s' successfully loaded\n", filename);
        return 0;
    }

But I don't know how to add flags. Is this the right solution?
Thanks all
Hello,
On 9/19/11 5:54 PM, tomsc wrote:
> Hi everyone,
> I'd like to check whether a client certificate is revoked or not against a CRL. Currently, opensips uses an SSL_CTX context. How can I do this with this context?
> I made this change to load the CRL:
>
>     /* Load a PEM-encoded CRL file into the certificate store of the given SSL_CTX.
>      * Returns 0 on success, -1 on failure. */
>     int load_crl(SSL_CTX *ctx, char *filename)
>     {
>         LM_DBG("entered load crl\n");
>         X509_STORE *pStore = SSL_CTX_get_cert_store(ctx);
>         /* X509_STORE_add_lookup() returns NULL on failure */
>         X509_LOOKUP *plookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
>         if (plookup == NULL
>                 || !X509_load_crl_file(plookup, filename, X509_FILETYPE_PEM)) {
>             LM_ERR("unable to load certificate file '%s'\n", filename);
>             return -1;
>         }
>         LM_DBG("'%s' successfully loaded\n", filename);
>         return 0;
>     }
>
> But I don't know how to add flags. Is this the right solution?
First, you sent the message to the wrong mailing list. Here we discuss Kamailio (OpenSER) and SIP Express Router (SER).
Second, kamailio/ser has had CRL support for a long time. So you just need to set the path to the crl file in the tls module parameter 'crl' in the config file and that's all you have to do: http://kamailio.org/docs/modules/stable/modules/tls.html#crl
Part of the following tutorial shows how to install tls in version 3.1.x for the debian distro, which is really simple: http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
It is not experimental TLS support like in other places; the tls config file can be reloaded at runtime without restart. See more in the readme of the tls module:
http://kamailio.org/docs/modules/stable/modules/tls.html
The default config file of kamailio also has notes about TLS support -- very easy to enable by adding #!define WITH_TLS
Cheers,
Daniel
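As an added illustration of the reply above (not part of the original thread and not taken from the Kamailio default config), this kamailio.cfg fragment sets the tls module's 'crl' parameter alongside the peer-verification settings it depends on. All file paths are placeholders, and it assumes the TLS settings are given as module parameters rather than in a separate tls config file.

```cfg
#!define WITH_TLS

#!ifdef WITH_TLS
loadmodule "tls.so"

# Server identity presented to connecting peers (placeholder paths).
modparam("tls", "private_key", "/etc/kamailio/tls/server-key.pem")
modparam("tls", "certificate", "/etc/kamailio/tls/server-cert.pem")

# CA certificates used to validate the client certificate chain.
# The CRL must be issued by one of these CAs to be usable.
modparam("tls", "ca_list", "/etc/kamailio/tls/ca-list.pem")

# Weak variant (kept commented out): the CRL path is set, but the
# client certificate is never requested or verified. Revocation is
# checked as part of peer-certificate verification, so with these
# values a revoked client certificate is not rejected.
# modparam("tls", "verify_certificate", 0)
# modparam("tls", "require_certificate", 0)
# modparam("tls", "crl", "/etc/kamailio/tls/crl.pem")

# Corrected variant: request a client certificate, fail the handshake
# if none is presented, verify the chain against ca_list, and reject
# certificates listed in the CRL.
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
modparam("tls", "crl", "/etc/kamailio/tls/crl.pem")
#!endif
```

A CRL carries its own validity period, so the file at the 'crl' path needs to be refreshed from the CA before it expires.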